Attackers Targeting MS13-055 IE Vulnerability

Attackers are using an Internet Explorer vulnerability, which Microsoft patched yesterday, in targeted attacks that also employ a malicious Flash file installed through a drive-by download launched by compromised Web pages. The exploit that’s being used is capable of bypassing both ASLR and DEP.

The attacks are exploiting a memory corruption vulnerability in IE (CVE-2013-3163), one that Microsoft patched on Tuesday as part of its monthly patch cycle. The bug was addressed by bulletin MS13-055 and Microsoft officials also said that users who have EMET 4.0 installed, which includes additional memory protections. The attacks themselves appear to be limited and targeted right now, but with the details of the vulnerability now public, that may change.

“The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and code execution. The Flash file is made of a sophisticated ActionScript code that allocates certain objects in memory in such a way that they can be corrupted later by the Internet Explorer bug in order to give unsafe access to memory regions to the Flash ActionScript code that will carry on the entire exploitation,” Microsoft’s Cristian Craioveanu and Elia Florio wrote in an analysis of the attacks.

In the attack scenario described by Microsoft, attackers are constructing malicious Web pages that they’re then using to trigger the bug in vulnerable versions of IE. The MS13-055 patch issued yesterday applies to IE 6-10, which are all of the current versions. Once the vulnerability is triggered, the code then installs the malicious Flash file.

“The common pattern for this limited targeted attack is a drive-by webpage ‘vid.aspx’ or ‘list.aspx’ used as starting point to trigger the bug and run the secondary Flash payload,” the analysis says. “The shellcode used by the sample received attempts to download a graphic file (pageerror.gif) which contains appended an encrypted and compressed malicious executable, possibly launched from %TEMP% folder using ‘javae.exe’ filename.”
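For defenders, the detail that the downloaded graphic carries an executable appended to it suggests one triage check: walk the GIF's block structure to its trailer byte and count what follows. The sketch below is an added example, not code from Microsoft's analysis or from Threatpost; the function names and the sample bytes are constructed for illustration.

```python
# Constructed 1x1 GIF89a used as sample input (not taken from any real sample).
SAMPLE_GIF = (b"GIF89a" b"\x01\x00\x01\x00\x80\x00\x00"      # header + screen descriptor
              b"\x00\x00\x00\xff\xff\xff"                    # 2-entry global colour table
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
              b"\x02\x02\x44\x01\x00"                        # LZW min size + pixel data
              b"\x3b")                                       # trailer

def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_trailing_bytes(data):
    """Return how many bytes follow the structural GIF trailer (0x3B).

    Parsing the blocks matters: searching for the last 0x3B byte is
    unreliable because appended data can contain that value too.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    if len(data) < 13:
        raise ValueError("truncated header")
    pos = 13
    if data[10] & 0x80:                          # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        marker = data[pos]
        pos += 1
        if marker == 0x3B:                       # trailer: logical end of image
            return len(data) - pos
        if marker == 0x21:                       # extension: label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif marker == 0x2C:                     # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:                    # local colour table present
                pos += 3 * (2 << (packed & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW min code size
        else:
            raise ValueError("unknown block 0x%02x" % marker)
    raise ValueError("no trailer found")
```

A non-zero result on an image fetched by a browser process is a reason to carve and inspect the trailing bytes, not proof of compromise on its own.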
